In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) has issued a bulletin reminding health care providers that the protections under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule are not set aside during an emergency. OCR reminds covered entities that “the protections of the Privacy Rule are not set aside during an emergency.” OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures. Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, as well as provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization. OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient. HIPAA also allows covered entities to release patient information without authorization for certain public health activities. A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability. Information may also be shared at the direction of a public health authority to a foreign government that is acting in collaboration with the public health authority. In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law. Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information. A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons who the patient identifies as being involved in the patient’s care and disaster relief organizations. Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies. For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies. Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient. If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and provide basic information about the patient’s condition in general terms, if the patient has not objected or restricted the release of this information, but information about an incapacitated patient may only be released if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences. General information about a patient’s condition includes critical or stable, deceased, or treated and released. OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient or specific information may not be done without the patient’s or an authorized personal representative’s written authorization, unless one of the limited circumstances described elsewhere in OCR’s bulletin is applicable.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act. The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public emergency. The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol. Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.

Medical Equipment and Sales: The OIG plans to examine 10 areas regarding equipment and supplies, including issues relating to power mobility devices, lower limb prosthetics, nebulizer machines and related drugs, diabetes testing supplies, and the payment system for renal dialysis services and drugs. The OIG will also review claims for frequently replaced medical equipment supplies to determine supplier compliance with medical necessity, frequency, and other Medicare requirements, noting that suppliers have automatically shipped certain device supplies without physician orders for refills.

Other Providers: The OIG plans to review other providers’ policies, practices, and billings and payments, including ambulance, anesthesia, chiropractic, diagnostic radiology, imaging, and clinical laboratory services. The OIG also will examine inappropriate and questionable billing by ophthalmologists, physician place of service coding errors, high use of outpatient physical therapy services, supplier compliance with transportation and set-up fee requirements for portable X-ray equipment, and high use of sleep-testing procedures by sleep disorder clinics.

Prescription Drugs: The OIG will review several areas relating to prescription drugs. Of note, the OIG plans to examine payments for drugs purchased under the 340B Drug Pricing Program by determining how much Medicare Part B spending could be reduced if Medicare could share the savings for drugs purchased under the 340B program.

Part A and B Contractors: The OIG plans to examine seven areas relating to oversight of contracts and contractor functions and performance.

Information Technology Security, Protected Health Information, and Data Accuracy: Of note, the OIG plans to examine whether CMS oversight of hospitals’ security controls over networked medical services is adequate to protect electronic-protected health information. The OIG states that computerized medical devices that are integrated with electronic medical records and a health network are a growing threat to the security and privacy of health information. These medical devices monitor a patient’s health status and transmit and receive health data.

Other Part A and Part B Program Management Issues: The OIG will examine enhanced enrollment screening procedures for Medicare providers under the ACA. For the first time, the OIG will conduct a risk assessment of the Pioneer Accountable Care Organization Model.

Medicare Part C and Part D: The OIG plans several activities regarding Medicare Part C and Part D, including Medicare Advantage Organizations’ compliance with Part C requirements, ensuring dual -eligible patient access to drugs under Part D, and Part D billing and payments including Medicare Part D payments for HIV drugs for deceased beneficiaries.

Medicaid Program: The OIG will investigate several areas relating to Medicaid, noting that protecting Medicaid from fraud, waste, and abuse takes on a heightened urgency as the program continues to expand. Thus, the OIG will investigate a variety of areas in the Medicaid program, including state claims for drug rebates and claims for federal reimbursement. The OIG will also review Medicaid payments by states for home health services and other community-based care, including determining whether adult day care services providers complied with federal and state requirements and whether home health agency health care workers were screened in accordance with federal and state requirements. In addition, the OIG will review issues relating to medical equipment and supplies, transportation, health care-acquired conditions, and managed care. Finally, the OIG will review a variety of issues regarding state management, funding, oversight, and payment for Medicaid.

Other: The OIG plans to review and investigate many other areas. For the first time, the OIG will determine the extent to which hospitals comply with the contingency planning requirements found in the Health Insurance Portability and Accountability Act (HIPAA), as well as compare the hospitals’ contingency plans with government and industry recommended practices.

The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) recently released its 2015 Work Plan. The OIG’s Work Plan outlines the reviews and activities the OIG plans to pursue during the 2015 fiscal year. Thus, the Work Plan gives health care providers an overview of the OIG’s enforcement priorities for the coming year.

The highlights from the OIG’s 2015 Work Plan are summarized in two separate posts. This first post focuses on hospitals, nursing homes, hospice, and home health providers.

Hospitals: The OIG’s 2015 Work Plan places a major emphasis on hospitals, focusing its review of hospital activities in 22 areas. For the first time, the OIG will focus on adverse events in post-acute care for Medicare beneficiaries. The OIG will estimate the national incidence of adverse and temporary harm events for Medicare beneficiaries who receive care in long-term care hospitals, identify factors contributing to these events, determine the extent that the events were preventable, and estimate the costs to Medicare. According to the OIG, long-term care hospitals are the third most common type of post-acute care facility and account for almost 11 percent of Medicare costs for post-acute care.

The OIG also is focusing on the following hospital-related policies and practices, billing and payment, and quality of care and safety areas.

The OIG will study the impact of 2014 inpatient admission criteria known as the “two midnight policy.” The criteria require physicians to admit for inpatient care only those beneficiaries who are expected to need at least two nights of hospital care. If the beneficiary’s care is expected to last less than two nights, the beneficiary should be treated as an outpatient. The OIG plans to study the impact of the new inpatient admission criteria on hospital billing, Medicare payments, and beneficiary co-payments, as well as determine how billing varied among hospitals.

The OIG will compare the Medicare payments for physician office visits in provider-based clinics and freestanding clinics to determine the difference in payments for similar procedures.

The OIG will determine the extent to which provider-based facilities meet the criteria of the Centers for Medicare and Medicaid Services (CMS). The OIG noted the financial incentives to bill as provider-based facilities because provider-based status allows facilities owned and operated to bill as hospital outpatient departments.

The OIG will examine other policies and practices that include: reconciliation of outlier payments; costs associated with defective medical devices; salaries included in Medicare cost reports; and the payment policies for swing-bed services.

The OIG will examine other quality of care and safety issues in hospitals including hospital privileging, adverse events in inpatient rehabilitation facilities, and participation in projects with quality improvement organizations.

Nursing Homes: The OIG will review several areas relating to nursing homes, including Medicare Part A billing by skilled nursing facilities. The OIG stated that skilled nursing facilities increasingly bill for the highest level of therapy even though beneficiary characteristics did not change and that in 2009 skilled nursing homes billed one-quarter of all claims in error. In addition, the OIG will review questionable billing patterns for Part B services during nursing home stays. Congress directed the OIG to monitor Part B billing for abuse during non-Part A stays to ensure that excessive services are not provided. Of note, the OIG will also review the extent that Medicare beneficiaries in nursing homes are hospitalized for manageable and preventable conditions.

Hospices:The OIG will continue its focus on hospice care, specifically two areas in 2015: hospices in assisted living facilities and the use of hospice general inpatient care. As part of its review of the extent that hospice plans serve Medicare beneficiaries who reside in assisted living facilities, the OIG will determine the length of stay, levels of care received, and common terminal illnesses. The OIG’s work is intended to provide HHS with information as part of the Affordable Care Act (ACA) requirement that CMS reform the hospice payment system, collect data relating to hospice payment revisions, and develop quality measures for hospice. The OIG will assess the appropriateness of a hospice program’s general inpatient care claims, including a review of hospice medical records to address concerns that the inpatient level of hospice care is misused.

Home Health Services:The OIG will review compliance with the home health prospective payment system, notably the documentation required in support of Medicare claims. In addition, the OIG will examine the extent to which home health agencies employed individuals with criminal convictions.

Address

About Gordon & Rees

Gordon & Rees is a national litigation and business transactions firm with more than 800 attorneys across the United States. We deliver maximum value to our clients by combining the resources, size, and scale of a full-service national firm with the responsiveness, flexibility, and local knowledge of a regional firm.